1. Field of the Invention
The present invention relates to transactions and particularly, but not exclusively, to apparatus for use in transactions involving token devices, for example chip and PIN payment cards, and for use in token-less transactions, and to systems and methods involving use of such apparatus.
2. Description of the Related Technology
Card transactions are well known and typically comprise a customer using a credit card, debit card, store card, charge card or the like to buy a product or service either in person or remotely, for example over the telephone or using the Internet.
Originally, credit, debit, store and charge cards, which will hereafter be referred to generally herein as “payment cards”, or simply “cards”, were used by a vendor taking a payment card from a customer and making an imprint of the card details, which were provided in relief on the front side of the card. The customer would then countersign the imprint and the vendor would compare the countersignature with a copy of the account holder's signature, represented on the back side of the card, in order authenticate the transaction.
A significant development in payment card technology came with the introduction of cards carrying magnetic stripes containing information about an account holder and a respective account from where funds can be drawn to honor a transaction carried out using the card. Such cards are still in common use today. The vendor typically takes the card from the customer and ‘swipes’ the card through a magnetic card reader that reads the data from the magnetic stripe. The magnetic card reader typically interacts with a cash register or an electronic point of sale (EPOS) terminal and transmits the information to a remote transaction server associated with the card issuing institution, for example a bank or credit card company. A customer using this kind of payment card is still required to sign an equivalent to a counterfoil of a transaction in order to authenticate the transaction, whereafter the vendor of the product or service compares the signature supplied with a representation of the account holder's signature, which is on the back of the payment card.
The introduction of payment cards carrying a magnetic stripe was a huge step in the cashless transaction industry. A significant benefit was that payment cards could be checked in real time to see if they had been stolen, thereby greatly reducing the opportunity for card fraud. However, on the down side, all retailers and card issuing institutions had to install a brand new information technology infrastructure for reading the cards and managing the transactions. More recently, there has been a second significant change in payment card technology, with a move towards so-called ‘chip and PIN’ payment cards, having an embedded semiconductor device, or “chip”.
The chip includes memory that is programmed, before issue to the account holder, with personal information, respective account information and a personal identification number (PIN). The chip incorporates an embedded program for facilitating secure data read, write and comparison operations. The card also provides an interface for coupling the chip with an appropriate chip and PIN card interface apparatus, which is still commonly referred to as a card “reader”, even though the apparatus is not merely a reader: rather, it has the ability to send data to, and receive data from, or, more generally, to interact with, a chip and PIN card. Accordingly, references herein to a chip and PIN card ‘reader’, or the like, should be taken to mean a device or apparatus that can interact with a chip and PIN card, or the like, at least by transmitting data to and receiving data from the card. Commonly, a chip and PIN card comprises a number of physical pads, or connectors, which are arranged on a surface of the card to make contact with corresponding pads or connectors in a card reader, when the card is physically inserted into the reader.
A typical card reader comprises a slot for receiving a chip and PIN card, a numeric keypad, also known as a TIN pad′, which is used by customers for entering a PIN, and a display for providing visual prompts and progress feedback to customers. A significant difference between a transaction using either an imprint or a magnetic stripe card and a transaction using a chip and PIN card is that, in the latter case, the customer physically interacts with the card reader by entering a PIN while the card is inserted in the card reader. In principle, it is not necessary in a chip and PIN card transaction for the vendor to handle the card at all, which reduces the chance that a vendor can misappropriate any card information.
A chip and PIN card reader can be a standalone device, which can connect directly to the systems of financial institutions, or it may be connected to an EPOS terminal, which initiates or controls the operation of the reader, hi the latter case, for example, the vendor interacts with the EPOS terminal to ‘prime’ the card reader and the customer interacts with the chip and PIN card reader to enter their PIN. Known chip and PIN card readers can be connected to an EPOS terminal using an interface cable, via a wireless communications link, or can be connected directly to financial institutions via a dial-up connection, wireless link or other network access point.
In an exemplary, known chip and PIN card transaction in which the chip and PIN card reader is connected to an EPOS terminal, a vendor enters the details of a desired transaction into an EPOS terminal and selects payment using a chip and PIN card. In response, the card reader displays a prompt for the customer to insert their chip and PIN card into the card reader. When the card reader receives a card, it usually displays a message asking the customer to enter their PIN using the keypad (although there can be an extra step asking the customer to confirm the type of payment that they want to make, for example a credit card payment or a debit card payment). The customer uses the keypad to enter the PIN, the card reader captures the PIN and transmits it to the chip and PIN card. The chip and PIN card compares the received PIN with the stored PIN. The chip and PIN card only permits a transaction to proceed if the received PIN matches the stored PBSf. If the received PEST matches the stored PIN, the card reader or EPOS terminal communicates (where possible, although a certain number of consecutive offline transactions may be allowed on each card), with a transaction server of a card issuing institution, at which the respective customer account is held. If the institution authorizes the transaction, a corresponding message is transmitted to the chip and PIN card reader, an authorization message is sent to the EPOS terminal, the transaction completes and, at some future point in time (or sometimes almost immediately), funds are transferred from the card issuing institution to the vendor.
As yet, not all vendors support chip and PIN card transactions. However, chip and PIN cards are being heavily promoted by card issuing institutions as a way of reducing payment card fraud. Soon, it is believed, most payment card transactions will be chip and PBSf card transactions. As such, chip and PIN card readers will reside in most, if not all, sales establishments. Before being usable in a practical environment, all new chip and PIN card and card reader technology must pass highly stringent compliance testing, to ensure that the products fully comply with required operational and high security specifications. Such specifications include those produced and published by EMVCo LLC.
As with the move to magnetic stripe payment cards, the move to chip and PIN payment cards has required an additional huge investment hi new infrastructure by vendors and card issuing institutions alike. It will be appreciated that such an investment can only be justified with sufficient support from card holders, vendors, and card issuing institutions.